Class: OneLogin::RubySaml::Utils
- Inherits:
-
Object
- Object
- OneLogin::RubySaml::Utils
- Defined in:
- lib/onelogin/ruby-saml/utils.rb
Overview
SAML2 Auxiliary class
Constant Summary collapse
- BINDINGS =
{ :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze, :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
- DSIG =
"http://www.w3.org/2000/09/xmldsig#".freeze
- XENC =
"http://www.w3.org/2001/04/xmlenc#".freeze
- DURATION_FORMAT =
%r(^ (-?)P # 1: Duration sign (?: (?:(\d+)Y)? # 2: Years (?:(\d+)M)? # 3: Months (?:(\d+)D)? # 4: Days (?:T (?:(\d+)H)? # 5: Hours (?:(\d+)M)? # 6: Minutes (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds )? | (\d+)W # 8: Weeks ) $)x.freeze
- UUID_PREFIX =
'_'
- @@uuid_generator =
UUID.new
Class Method Summary collapse
-
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature.
-
.build_query_from_raw_parts(params) ⇒ String
Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature.
-
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML.
-
.element_text(element) ⇒ Object
Given a REXML::Element instance, return the concatenation of all child text nodes.
- .escape_request_param(param, lowercase_url_encoding) ⇒ Object
-
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate.
-
.format_private_key(key) ⇒ String
Return a properly formatted private key.
-
.is_cert_expired(cert) ⇒ Object
Checks if the x509 cert provided is expired.
-
.original_uri_match?(destination_url, settings_url) ⇒ Boolean
If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.
-
.parse_duration(duration, timestamp = Time.now.utc) ⇒ Integer
Interprets a ISO8601 duration value relative to a given timestamp.
-
.prepare_raw_get_params(rawparams, params, lowercase_url_encoding = false) ⇒ Hash
Prepare raw GET parameters (build them from normal parameters if not provided).
-
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text.
- .retrieve_symetric_key_reference(encrypt_data) ⇒ Object
-
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element.
- .set_prefix(value) ⇒ Object
-
.status_error_msg(error_msg, raw_status_code = nil, status_message = nil) ⇒ String
Build the status error message.
-
.uri_match?(destination_url, settings_url) ⇒ Boolean
Given two strings, attempt to match them as URIs using Rails’ parse method.
- .uuid ⇒ Object
-
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding.
Class Method Details
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature
140 141 142 143 144 145 146 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 140 def self.build_query(params) type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]} url_string = "#{type}=#{CGI.escape(data)}" url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state url_string << "&SigAlg=#{CGI.escape(sig_alg)}" end |
.build_query_from_raw_parts(params) ⇒ String
Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature
157 158 159 160 161 162 163 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 157 def self.build_query_from_raw_parts(params) type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]} url_string = "#{type}=#{raw_data}" url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state url_string << "&SigAlg=#{raw_sig_alg}" end |
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 243 def self.decrypt_data(encrypted_node, private_key) encrypt_data = REXML::XPath.first( encrypted_node, "./xenc:EncryptedData", { 'xenc' => XENC } ) symmetric_key = retrieve_symmetric_key(encrypt_data, private_key) cipher_value = REXML::XPath.first( encrypt_data, "./xenc:CipherData/xenc:CipherValue", { 'xenc' => XENC } ) node = Base64.decode64(element_text(cipher_value)) encrypt_method = REXML::XPath.first( encrypt_data, "./xenc:EncryptionMethod", { 'xenc' => XENC } ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(node, symmetric_key, algorithm) end |
.element_text(element) ⇒ Object
Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes that there all children other than text nodes can be ignored (e.g. comments). If nil is passed, nil will be returned.
384 385 386 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 384 def self.element_text(element) element.texts.map(&:value).join if element end |
.escape_request_param(param, lowercase_url_encoding) ⇒ Object
192 193 194 195 196 197 198 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 192 def self.escape_request_param(param, lowercase_url_encoding) CGI.escape(param).tap do |escaped| next unless lowercase_url_encoding escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase } end end |
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 85 def self.format_cert(cert) # don't try to format an encoded certificate or if is empty or nil if cert.respond_to?(:ascii_only?) return cert if cert.nil? || cert.empty? || !cert.ascii_only? else return cert if cert.nil? || cert.empty? || cert.match(/\x0d/) end if cert.scan(/BEGIN CERTIFICATE/).length > 1 formatted_cert = [] cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c| formatted_cert << format_cert(c) } formatted_cert.join("\n") else cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "") cert = cert.gsub(/\r/, "") cert = cert.gsub(/\n/, "") cert = cert.gsub(/\s/, "") cert = cert.scan(/.{1,64}/) cert = cert.join("\n") "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----" end end |
.format_private_key(key) ⇒ String
Return a properly formatted private key
115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 115 def self.format_private_key(key) # don't try to format an encoded private key or if is empty return key if key.nil? || key.empty? || key.match(/\x0d/) # is this an rsa key? rsa_key = key.match("RSA PRIVATE KEY") key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "") key = key.gsub(/\n/, "") key = key.gsub(/\r/, "") key = key.gsub(/\s/, "") key = key.scan(/.{1,64}/) key = key.join("\n") key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY" "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----" end |
.is_cert_expired(cert) ⇒ Object
Checks if the x509 cert provided is expired
41 42 43 44 45 46 47 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 41 def self.is_cert_expired(cert) if cert.is_a?(String) cert = OpenSSL::X509::Certificate.new(cert) end return cert.not_after < Time.now end |
.original_uri_match?(destination_url, settings_url) ⇒ Boolean
If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.
377 378 379 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 377 def self.original_uri_match?(destination_url, settings_url) destination_url == settings_url end |
.parse_duration(duration, timestamp = Time.now.utc) ⇒ Integer
Interprets a ISO8601 duration value relative to a given timestamp.
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 58 def self.parse_duration(duration, =Time.now.utc) return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported matches = duration.match(DURATION_FORMAT) if matches.nil? raise Exception.new("Invalid ISO 8601 duration") end sign = matches[1] == '-' ? -1 : 1 durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks = matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 } initial_datetime = Time.at().utc.to_datetime final_datetime = initial_datetime.next_year(durYears) final_datetime = final_datetime.next_month(durMonths) final_datetime = final_datetime.next_day((7*durWeeks) + durDays) = final_datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds return end |
.prepare_raw_get_params(rawparams, params, lowercase_url_encoding = false) ⇒ Hash
Prepare raw GET parameters (build them from normal parameters if not provided).
173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 173 def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false) rawparams ||= {} if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil? rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding) end if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil? rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding) end if rawparams['RelayState'].nil? && !params['RelayState'].nil? rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding) end if rawparams['SigAlg'].nil? && !params['SigAlg'].nil? rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding) end rawparams end |
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text
308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 308 def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm) case algorithm when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key end if cipher iv_len = cipher.iv_len data = cipher_text[iv_len..-1] cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1] assertion_plaintext = cipher.update(data) assertion_plaintext << cipher.final elsif auth_cipher iv_len, text_len, tag_len = auth_cipher.iv_len, cipher_text.length, 16 data = cipher_text[iv_len..text_len-1-tag_len] auth_cipher.padding = 0 auth_cipher.key = symmetric_key auth_cipher.iv = cipher_text[0..iv_len-1] auth_cipher.auth_data = '' auth_cipher.auth_tag = cipher_text[text_len-tag_len..-1] assertion_plaintext = auth_cipher.update(data) assertion_plaintext << auth_cipher.final elsif rsa rsa.private_decrypt(cipher_text) elsif oaep oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) else cipher_text end end |
.retrieve_symetric_key_reference(encrypt_data) ⇒ Object
295 296 297 298 299 300 301 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 295 def self.retrieve_symetric_key_reference(encrypt_data) REXML::XPath.first( encrypt_data, "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')", { "ds" => DSIG } ) end |
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element
269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 269 def self.retrieve_symmetric_key(encrypt_data, private_key) encrypted_key = REXML::XPath.first( encrypt_data, "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]", { "ds" => DSIG, "xenc" => XENC }, { "id" => self.retrieve_symetric_key_reference(encrypt_data) } ) encrypted_symmetric_key_element = REXML::XPath.first( encrypted_key, "./xenc:CipherData/xenc:CipherValue", "xenc" => XENC ) cipher_text = Base64.decode64(element_text(encrypted_symmetric_key_element)) encrypt_method = REXML::XPath.first( encrypted_key, "./xenc:EncryptionMethod", "xenc" => XENC ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(cipher_text, private_key, algorithm) end |
.set_prefix(value) ⇒ Object
346 347 348 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 346 def self.set_prefix(value) UUID_PREFIX.replace value end |
.status_error_msg(error_msg, raw_status_code = nil, status_message = nil) ⇒ String
Build the status error message
218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 218 def self.status_error_msg(error_msg, raw_status_code = nil, = nil) unless raw_status_code.nil? if raw_status_code.include? "|" status_codes = raw_status_code.split(' | ') values = status_codes.collect do |status_code| status_code.split(':').last end printable_code = values.join(" => ") else printable_code = raw_status_code.split(':').last end error_msg << ', was ' + printable_code end unless .nil? error_msg << ' -> ' + end error_msg end |
.uri_match?(destination_url, settings_url) ⇒ Boolean
Given two strings, attempt to match them as URIs using Rails’ parse method. If they can be parsed, then the fully-qualified domain name and the host should performa a case-insensitive match, per the RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the two strings. This maintains the previous functionality.
359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 359 def self.uri_match?(destination_url, settings_url) dest_uri = URI.parse(destination_url) acs_uri = URI.parse(settings_url) if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil? raise URI::InvalidURIError else dest_uri.scheme.downcase == acs_uri.scheme.downcase && dest_uri.host.downcase == acs_uri.host.downcase && dest_uri.path == acs_uri.path && dest_uri.query == acs_uri.query end rescue URI::InvalidURIError original_uri_match?(destination_url, settings_url) end |
.uuid ⇒ Object
350 351 352 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 350 def self.uuid "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}") end |
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding
208 209 210 211 212 |
# File 'lib/onelogin/ruby-saml/utils.rb', line 208 def self.verify_signature(params) cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]} signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg) return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string) end |